From 33aa7950d1dedde9e8c8a73f4c0572b594c0f2ec Mon Sep 17 00:00:00 2001
From: Rafael Mestre
Date: Mon, 14 Jul 2025 10:36:00 -0400
Subject: [PATCH 1/5] feat: publish eol-scan image; document GitHub Actions workflows
---
 .github/workflows/ci.yml | 11 ++----
 .github/workflows/release.yml | 45 ++++++++++++++++++++++++
 README.md | 66 +++++++++++++++++++++++++++++++++++
 ci/image.Dockerfile | 6 ++++
 4 files changed, 120 insertions(+), 8 deletions(-)
 create mode 100644 ci/image.Dockerfile
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f3c82877..002fb8ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -39,15 +39,10 @@ jobs:
 needs: shellcheck
 strategy:
 fail-fast: false
+ max-parallel: 3
 matrix:
- node:
- - 20
- - 22
- - 23
- platform:
- - ubuntu-latest
- - macos-latest
- - windows-latest
+ node: [20, 22, 23]
+ platform: [ubuntu-latest, macos-latest, windows-latest]
 name: "${{matrix.platform}} w/ Node.js ${{matrix.node}}.x"
 runs-on: ${{matrix.platform}}
 env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af062956..fc4543f4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,3 +43,48 @@ jobs:
 run: npm publish --provenance --access public
 env:
 NODE_AUTH_TOKEN: ${{ secrets.HD_CLI_NPM_TOKEN }}
+
+ publish-images:
+ name: Publish Images
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Parse tag
+ run: echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+
+ - uses: docker/metadata-action@v5
+ id: meta
+ with:
+ # Enable when we have Docker Hub set up
+ images: |
+ name=ghcr.io/herodevs/eol-scan
+ name=docker.io/herodevs/eol-scan,enable=false
+ tags: |
+ type=sha,format=long
+ type=raw,value=latest
+ type=raw,value=${{ env.VERSION }}
+
+ - uses: docker/login-action@v3
+ # Enable when we have Docker Hub set up
+ if: ${{ false }}
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./ci/image.Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/README.md b/README.md
index e8b42a41..59f180e8 100644
--- a/README.md
+++ b/README.md
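Review bot: The "Parse tag" step interpolates `${{ github.ref_name }}` straight into a shell command (`run: echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV`), so a tag name containing shell metacharacters is executed inside a job that holds `packages: write` and a registry login; whoever can push tags to this repository can drive that. Pass the value through an environment variable instead, `env: { REF_NAME: ${{ github.ref_name }} }` with `run: echo "VERSION=$REF_NAME" >> "$GITHUB_ENV"`, or drop the step and let `docker/metadata-action` derive the tag itself with `type=ref,event=tag`. The same job pins `actions/checkout` to a full commit SHA with a version comment but references the four `docker/*` actions by floating major tags (`@v5`, `@v3`, `@v6`); pinning those to SHAs the same way keeps the publish path consistently immutable. Whether the workflow trigger limits this job to release tags is not visible in the hunk, and `type=raw,value=latest` will move `latest` on every run regardless.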
@@ -237,3 +237,69 @@ EXAMPLES
 _See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.6.45/src/commands/update.ts)_
+
+## CI/CD Usage
+
+You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
+
+### GitHub Actions
+
+#### Using the Docker Image (recommended)
+
+We provide a Docker image that's pre-configured to run EOL scans. Based on `cdxgen`, it contains build tools
+for most project types and will provide best results when generating an SBOM.
+
+Pass any arguments supported by [`scan:eol`](#hd-scan-eol) using `with: args:`.
+
+```yaml
+# .github/workflows/herodevs-scan.yml
+name: HeroDevs EOL Scan
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run EOL Scan with Docker
+ uses: docker://ghcr.io/herodevs/eol-scan
+ with:
+ args: "--json"
+```
+
+#### Using npx
+
+You can use `npx` to run the CLI just like you'd run it locally.
+
+```yaml
+# .github/workflows/herodevs-eol-scan.yml
+name: HeroDevs EOL Scan
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Run EOL Scan
+ run: npx @herodevs/cli@beta
+```
+
+**Note**: Just like when running locally, in some cases the development environment is expected to be able
+to run the app. For best results, prefer [using the prebuilt image](#using-the-docker-image-recommended), but
+otherwise, install all requirements before the scan step.
\ No newline at end of file
diff --git a/ci/image.Dockerfile b/ci/image.Dockerfile
new file mode 100644
index 00000000..84a5c2b8
--- /dev/null
+++ b/ci/image.Dockerfile
@@ -0,0 +1,6 @@
+FROM ghcr.io/cyclonedx/cdxgen:v11.4.3
+WORKDIR /app
+COPY . .
+RUN npm config set update-notifier false && npm config set loglevel error
+ENV NODE_NO_WARNINGS=1
+ENTRYPOINT ["npm", "exec", "-y", "@herodevs/cli@beta", "--", "scan:eol"]
\ No newline at end of file
From b3cb6cc3ba46bc22408cf1b4025c217dc872de49 Mon Sep 17 00:00:00 2001
From: Rafael Mestre
Date: Mon, 14 Jul 2025 11:09:31 -0400
Subject: [PATCH 2/5] chore: add link to cdxgen
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 59f180e8..3337bac5 100644
--- a/README.md
+++ b/README.md
@@ -246,8 +246,8 @@ You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
 #### Using the Docker Image (recommended)
-We provide a Docker image that's pre-configured to run EOL scans. Based on `cdxgen`, it contains build tools
-for most project types and will provide best results when generating an SBOM.
+We provide a Docker image that's pre-configured to run EOL scans. Based on [`cdxgen`](https://github.com/CycloneDX/cdxgen),
+it contains build tools for most project types and will provide best results when generating an SBOM.
 Pass any arguments supported by [`scan:eol`](#hd-scan-eol) using `with: args:`.
From 151ee2e0be4ce132d3d573527461266ee021e896 Mon Sep 17 00:00:00 2001
From: Rafael Mestre
Date: Mon, 14 Jul 2025 14:40:55 -0400
Subject: [PATCH 3/5] chore: bump CI tested Node version to 24
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 002fb8ab..2d37cd7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,7 +41,7 @@ jobs:
 fail-fast: false
 max-parallel: 3
 matrix:
- node: [20, 22, 23]
+ node: [20, 22, 24]
 platform: [ubuntu-latest, macos-latest, windows-latest]
 name: "${{matrix.platform}} w/ Node.js ${{matrix.node}}.x"
 runs-on: ${{matrix.platform}}
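Review bot: The published image does not actually contain the scanner: `ENTRYPOINT ["npm", "exec", "-y", "@herodevs/cli@beta", "--", "scan:eol"]` resolves and downloads whatever `beta` points to from the npm registry at every container start, so an image tagged with a release version by release.yml is neither reproducible nor usable offline, and its effective contents can change after the image was built, scanned or signed. Install the CLI at build time instead, for example `RUN npm install -g @herodevs/cli@<VERSION_PLACEHOLDER>` fed from a build arg, and point the entrypoint at the installed command (the README anchors suggest it is `hd`, so `ENTRYPOINT ["hd", "scan:eol"]` — confirm the bin name). `COPY . .` places the entire build context, including `.git` unless a `.dockerignore` exists (none is added by this patch), into the image although the entrypoint appears not to use it; dropping the line, or copying only what is needed, keeps repository contents out of a public image. For the same immutability reason the `FROM` base is worth pinning by digest in addition to the `v11.4.3` tag.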
From 19f4269efdba32ffd3ba653e8469b5924e6b0177 Mon Sep 17 00:00:00 2001
From: Rafael Mestre
Date: Mon, 14 Jul 2025 14:41:12 -0400
Subject: [PATCH 4/5] chore: add GitLab steps and improve readme
---
 README.md | 44 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 3337bac5..38ce86e8 100644
--- a/README.md
+++ b/README.md
@@ -242,17 +242,15 @@ _See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4
 You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
-### GitHub Actions
-
-#### Using the Docker Image (recommended)
+### Using the Docker Image (recommended)
 We provide a Docker image that's pre-configured to run EOL scans. Based on [`cdxgen`](https://github.com/CycloneDX/cdxgen),
 it contains build tools for most project types and will provide best results when generating an SBOM.
-Pass any arguments supported by [`scan:eol`](#hd-scan-eol) using `with: args:`.
+#### GitHub Actions
 ```yaml
-# .github/workflows/herodevs-scan.yml
+# .github/workflows/herodevs-eol-scan.yml
 name: HeroDevs EOL Scan
 on:
@@ -273,10 +271,29 @@ jobs:
 args: "--json"
 ```
-#### Using npx
+#### GitLab CI/CD
+
+```yaml
+eol-scan:
+ image:
+ name: "ghcr.io/herodevs/eol-scan"
+ # Entrypoint or base command must be disabled due
+ # to GitLab's execution mechanism and run manually
+ entrypoint: [""]
+ script: "npx @herodevs/cli@beta --json"
+```
+
+### Using `npx`
 You can use `npx` to run the CLI just like you'd run it locally.
+> [!NOTE]
+> The development environment is expected to be ready to run the app. For best results,
+prefer [using the prebuilt image](#using-the-docker-image-recommended), but otherwise, prepare
+all requirements before the scan step.
+
+#### GitHub Actions
+
 ```yaml
 # .github/workflows/herodevs-eol-scan.yml
 name: HeroDevs EOL Scan
@@ -296,10 +313,19 @@ jobs:
 with:
 node-version: '20'
+ - run: echo # Prepare environment, install tooling, perform setup, etc.
+
 - name: Run EOL Scan
 run: npx @herodevs/cli@beta
 ```
-**Note**: Just like when running locally, in some cases the development environment is expected to be able
-to run the app. For best results, prefer [using the prebuilt image](#using-the-docker-image-recommended), but
-otherwise, install all requirements before the scan step.
\ No newline at end of file
+#### GitLab CI/CD
+
+```yaml
+image: alpine
+
+eol-scan:
+ script:
+ - echo # Prepare environment, install tooling, perform setup, etc.
+ - npx@herodevs/cli@beta
+```
\ No newline at end of file
From 03db7c376dedab7e155b8db1c49f99df1b3c746b Mon Sep 17 00:00:00 2001
From: Rafael Mestre
Date: Mon, 14 Jul 2025 14:58:39 -0400
Subject: [PATCH 5/5] chore: fix typo in readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 38ce86e8..82aef2c7 100644
--- a/README.md
+++ b/README.md
@@ -327,5 +327,5 @@ image: alpine
 eol-scan:
 script:
 - echo # Prepare environment, install tooling, perform setup, etc.
- - npx@herodevs/cli@beta
+ - npx @herodevs/cli@beta
 ```
\ No newline at end of file